
FTP over SSL/TLS Port 21 passive blocked; what to do?

Hello, 

I want to connect to a FTP server on port 21 passive with SSL/TLS, but this is blocked by UTM.

Which firewall settings do I need to connect to the FTP?


  • In addition to the related line(s) in the FTP log file, what do you see in the others listed in #1 in Rulz?

    Cheers - Bob
    PS Please always remember to state the exact version of UTM - 9.109-1?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I do have exactly the same problem. The logs show nothing. On Coda 2 it says illegal port.
  • It sounds like Coda is doing the blocking...

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have this problem only behind a UTM. When I have access without a UTM Coda works with the same configuration.
  • Take another look at the log files mentioned in post #2 above.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am running 9.201-23.

    I have looked at your rulz a second time. I can't find anything, normal FTP without SSL/TLS works.

    Actually I have no idea which log file I should look at.
  • Rule #1:

        Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs.


    Rule #2:

        In general, a packet arriving at an interface is handled only by one of the following, in order: DNATs first, then VPNs and Proxies and, finally, manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn't already handled the traffic. (see attachment below) 


    Check those 2 points first! There should be a block in Firewall logs or somewhere else!

    the new sophos board sucks... :-( please give us the old one back.

  • My MacBook is 192.168.12.114 and 80.237.132.8 the server.

    15:46:16  Standard-VERWERFEN  TCP  192.168.12.114 : 61675  →  80.237.132.8 : 52525  [SYN]  len=64  ttl=63  tos=0x00  srcmac=b8:e8:56:4a:8:72  dstmac=0:1a:8c:14:15:18
    15:46:17  Standard-VERWERFEN  TCP  192.168.12.114 : 61675  →  80.237.132.8 : 52525  [SYN]  len=64  ttl=63  tos=0x00  srcmac=b8:e8:56:4a:8:72  dstmac=0:1a:8c:14:15:18
    15:46:18  Standard-VERWERFEN  TCP  192.168.12.114 : 61675  →  80.237.132.8 : 52525  [SYN]  len=64  ttl=63  tos=0x00  srcmac=b8:e8:56:4a:8:72  dstmac=0:1a:8c:14:15:18
    15:46:19  Standard-VERWERFEN  TCP  192.168.12.114 : 61675  →  80.237.132.8 : 52525  [SYN]  len=64  ttl=63  tos=0x00  srcmac=b8:e8:56:4a:8:72  dstmac=0:1a:8c:14:15:18
    15:46:20  Standard-VERWERFEN  TCP  192.168.12.114 : 61675  →  80.237.132.8 : 52525  [SYN]  len=64  ttl=63  tos=0x00  srcmac=b8:e8:56:4a:8:72  dstmac=0:1a:8c:14:15:18
  • You gave the answer yourself with this log...

    Create a FW rule and you should be fine!

    the new sophos board sucks... :-( please give us the old one back.

  • Yeah I know, but the problem is, that the ports change with every connection attempt. So I can't specify the port.

    *****
    Okay with Port 1:65535 to 1:65535 it works.
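Added illustration, not code from the thread or from Sophos: a parser for the cleartext FTP `227` PASV reply (the line a firewall's FTP helper reads to learn the data port) and a small scan of firewall log lines in the layout shown above that surfaces dropped SYNs to the FTP server's high ports. The reply and the log lines are constructed samples; the server address is the one from the thread, and `203.0.113.5` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed PASV reply. In plain FTP the helper sees this on port 21 and
# opens a pinhole for the announced data port; with FTPS (AUTH TLS) the same
# reply is inside the TLS session, so no pinhole is created and the client's
# data SYN hits the default drop rule, as in the log posted in the thread.
PASV_REPLY = "227 Entering Passive Mode (80,237,132,8,205,45)"
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply: port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


# Constructed log lines, one entry per line, in the thread's layout.
LOG = """\
15:46:16 Standard-VERWERFEN TCP 192.168.12.114:61675 → 80.237.132.8:52525 [SYN] len=64 ttl=63
15:46:17 Standard-VERWERFEN TCP 192.168.12.114:61675 → 80.237.132.8:52525 [SYN] len=64 ttl=63
15:46:18 Standard-VERWERFEN TCP 192.168.12.114:61675 → 80.237.132.8:52525 [SYN] len=64 ttl=63
15:46:20 Standard-VERWERFEN TCP 192.168.12.114:61675 → 80.237.132.8:52525 [SYN] len=64 ttl=63
15:50:01 Standard-VERWERFEN TCP 192.168.12.114:61702 → 80.237.132.8:53107 [SYN] len=64 ttl=63
15:51:10 Standard-VERWERFEN TCP 192.168.12.114:61710 → 203.0.113.5:443 [SYN] len=64 ttl=63
"""
LINE_RE = re.compile(
    r"^(\S+) (\S+) TCP (\d+\.\d+\.\d+\.\d+):(\d+) → (\d+\.\d+\.\d+\.\d+):(\d+) \[SYN\]"
)


def dropped_passive_syns(log, ftp_server, min_port=1024):
    """Count dropped SYNs per (client, dst_port) toward the FTP server's high ports.

    A client retrying the same unprivileged port on the FTP server right after
    a control connection is the signature of a passive data channel being dropped.
    """
    hits = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, action, src, _, dst, dport = m.groups()
        if action == "Standard-VERWERFEN" and dst == ftp_server and int(dport) >= min_port:
            hits[(src, int(dport))] += 1
    return dict(hits)
```

Opening 1:65535 to the server works, as the last post says, but the narrower fix is to have the FTP server announce a fixed passive port range and allow only that range in the firewall rule.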